On 05/01/2014 06:17 PM, Lillie Ross-CDSR11 wrote:
I've been playing with using LDAP authentication (identity) and SQL
authorization (assignment) within Keystone in the current devstack
release running in a single VM.
The problem with this setup, as I understand it, is the need to have
LDAP entries for each service user (i.e. nova, glance, etc.). In our
environment, this isn't possible as our corporate LDAP directory is
solely for employee records. While I could work around this issue by
running each service under a known LDAP employee record - this seems
rather a kludge to me.
My question is (and admittedly I'm not well versed in directory
federation): is this an issue that could be resolved once directory
federation is stable in the next OpenStack release? Where, for
instance, all of the OpenStack service accounts could remain in a
separate directory service controlled solely by the cloud owner/admin,
while users could then be authenticated via the corporate employee
LDAP database?
We'd love to use LDAP to authenticate cloud users, but the need
to also authenticate OpenStack services against the same LDAP backend
makes the use of LDAP unviable in our environment.
We have no solution for that under Icehouse. This topic is one of the
high priorities for the Keystone team at the Icehouse summit.
This has probably been discussed previously, but any insight would be
helpful.
Thanks and regards,
Ross
--
Ross Lillie
Distinguished Member of Technical Staff
Motorola Solutions, Inc.
motorolasolutions.com
O: +1.847.576.0012
M: +1.847.980.2241
E: ross.lil...@motorolasolutions.com
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
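For readers who want to see what the setup Ross describes looks like in practice, the following keystone.conf fragment is an added illustration written for this page; it is not code from the thread or from the Keystone project, and the hostname, DNs, bind account and certificate path are placeholder assumptions. It uses the Icehouse-era driver names to split identity (LDAP) from assignment (SQL), binds read-only over STARTTLS with a dedicated low-privilege account, and makes the constraint in the thread explicit in the comments.

```ini
# keystone.conf fragment: LDAP identity + SQL assignment (Icehouse-era option names).
# Added illustration, not from the mailing-list thread. Hostnames, DNs, the bind
# account and the CA path below are placeholder assumptions.

[identity]
# Users and their passwords are resolved against LDAP. Every principal that
# authenticates to Keystone, including service users such as nova and glance,
# must be found under user_tree_dn. This is the constraint described in the thread.
driver = keystone.identity.backends.ldap.Identity

[assignment]
# Projects (tenants), roles and role assignments stay in Keystone's own SQL
# database, so the corporate directory never has to carry OpenStack-specific data.
driver = keystone.assignment.backends.sql.Assignment

[database]
# Placeholder connection string for the assignment backend.
connection = mysql://keystone:<db-password>@db.example.corp/keystone

[ldap]
# Placeholder directory; STARTTLS is enabled below so credentials never cross
# the wire in clear text. tls_req_cert=demand rejects unverifiable server certs.
url = ldap://ldap.example.corp
use_tls = true
tls_cacertfile = /etc/ssl/certs/corp-ca.pem
tls_req_cert = demand

# Dedicated read-only bind account (placeholder DN). It only needs search rights
# on the user subtree; Keystone never writes to the directory with the flags below.
user = cn=keystone-bind,ou=service,dc=example,dc=corp
password = <bind-password>
suffix = dc=example,dc=corp
query_scope = sub

# Where users live and how they are identified. With the corporate directory
# this is the employee subtree, which is why nova, glance, etc. cannot be created
# here: they would have to exist as entries under this tree.
user_tree_dn = ou=people,dc=example,dc=corp
user_objectclass = inetOrgPerson
user_id_attribute = uid
user_name_attribute = uid

# Treat the directory as read-only from Keystone's point of view. With these
# set to false, "keystone user-create" for a service account fails rather than
# attempting to write an OpenStack account into the employee directory.
user_allow_create = false
user_allow_update = false
user_allow_delete = false
```

A quick check that the configuration behaves as intended is to confirm with the bind account's credentials that an ordinary employee entry is searchable under user_tree_dn while a write attempt is refused by the directory; if the service accounts are not present in that subtree, token requests by those services will fail at authentication, which is the symptom the thread is about.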